CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Client Authentication - Bad SSL Certificate error

  1. #1
    Join Date
    2014-11-23
    Posts
    32
    Rep Power
    0

    Client Authentication - Bad SSL Certificate error

    Hi, me again

    I am trying to set up client authentication using HTTPS. Instead of clients connecting via telnet on port 259, I want them to connect using HTTPS on port 901.
    I have edited the /FWDIR/conf/fwauthd.conf file on the gateway ( fwssd in.ahclientd wait 901 ssl:defaultCert ) and I've done cpstop and cpstart.
    However, when I try to connect via a browser on port 901 I get the message "err_bad_ssl_client_auth_cert".
    When I go into SmartConsole and navigate to "Gateway Cluster Properties, VPN clients" it shows "This gateway authenticates with cert defaultCert".
    There is no way of changing this - if I click the dropdown it only gives the option of "defaultCert".
    I have looked in the ICA tool by browsing to the firewall management server on port 18265 but I can't find any trace of "defaultCert" in the list of certificates.
    I've also tried going into Gateway Properties and creating a new certificate for the gateway with a different nickname of newCert, and then I've amended the /FWDIR/conf/fwauthd.conf file on the gateway ( fwssd in.ahclientd wait 901 ssl:newCert ) and I've done cpstop and cpstart, but I still get the same browser error "err_bad_ssl_client_auth_cert". I'm guessing that this is because the gateway is set to authenticate with the certificate "defaultCert"?

    I was wondering if anyone has any suggestions? A good starting point would be being able to actually view the "defaultCert", which might not exist!
    (I'm running GAIA R80.10. I upgraded from R77.20 by doing a new installation and importing the R77.20 database into R80.10).
    Thanks for any help!

  2. #2
    Join Date
    2018-05-03
    Posts
    1
    Rep Power
    0

    Re: Client Authentication - Bad SSL Certificate error

    SSL certificates with legacy client authentication are not supported in 80.10. Not sure what you are trying to achieve.

  3. #3
    Join Date
    2011-08-02
    Location
    http://spikefishsolutions.com
    Posts
    1,611
    Rep Power
    8

    Re: Client Authentication - Bad SSL Certificate error

    Quote Originally Posted by PeterSmith78
    Hi, me again

    I am trying to set up client authentication using HTTPS. Instead of clients connecting via telnet on port 259, I want them to connect using HTTPS on port 901.
    I have edited the /FWDIR/conf/fwauthd.conf file on the gateway ( fwssd in.ahclientd wait 901 ssl:defaultCert ) and I've done cpstop and cpstart.
    However, when I try to connect via a browser on port 901 I get the message "err_bad_ssl_client_auth_cert".
    When I go into SmartConsole and navigate to "Gateway Cluster Properties, VPN clients" it shows "This gateway authenticates with cert defaultCert".
    There is no way of changing this - if I click the dropdown it only gives the option of "defaultCert".
    I have looked in the ICA tool by browsing to the firewall management server on port 18265 but I can't find any trace of "defaultCert" in the list of certificates.
    I've also tried going into Gateway Properties and creating a new certificate for the gateway with a different nickname of newCert, and then I've amended the /FWDIR/conf/fwauthd.conf file on the gateway ( fwssd in.ahclientd wait 901 ssl:newCert ) and I've done cpstop and cpstart, but I still get the same browser error "err_bad_ssl_client_auth_cert". I'm guessing that this is because the gateway is set to authenticate with the certificate "defaultCert"?

    I was wondering if anyone has any suggestions? A good starting point would be being able to actually view the "defaultCert", which might not exist!
    (I'm running GAIA R80.10. I upgraded from R77.20 by doing a new installation and importing the R77.20 database into R80.10).
    Thanks for any help!

    I didn't know legacy client auth didn't support SSL on R80.10, but you should really be using captive portal. It should have the same functionality as client auth (well, except for telnet auth... well, and RSA next key support, but that is coming in R80.20 I think).
